Stuxnet a threat to critical industries worldwide: experts
by Chris Lefkow, Wed Nov 17, 2:31 pm ET
WASHINGTON (AFP) - The Stuxnet worm that infiltrated Iran's nuclear facilities poses a threat to critical industries worldwide such as water, power and chemical plants, cybersecurity experts warned on Wednesday.
Sean McGurk, the acting director of the Department of Homeland Security's National Cybersecurity and Communications Integration Center (NCCIC), described Stuxnet in testimony before a US Senate committee as a "game-changer."
Stuxnet, which was detected in July, has "significantly changed the landscape of targeted cyberattacks," McGurk told the Senate Committee on Homeland Security and Governmental Affairs.
"For us, to use a very overused term, it's a game-changer," he said.
Stuxnet targets computer control systems made by German industrial giant Siemens commonly used to manage water supplies, oil rigs, power plants and other critical infrastructure.
Most Stuxnet infections have been discovered in Iran, giving rise to speculation it was intended to sabotage nuclear facilities there, especially the Russian-built atomic power plant in the southern city of Bushehr.
Computer security firm Symantec said last week that Stuxnet may have been specifically designed to disrupt the motors that power gas centrifuges used to enrich uranium.
Dean Turner, director of Symantec's Global Intelligence Network, told the Senate panel that while 60 percent of the Stuxnet infections detected were in Iran it should be seen as "a wake-up call to critical infrastructure systems around the world."
"This is the first publicly known threat to target industrial control systems and grants hackers vital control of critical infrastructures such as power plants, dams and chemical facilities," Turner said.
Stuxnet was so complex that only a "select few attackers" could develop a similar threat, but it highlights that "direct attacks to control critical infrastructure are possible and not necessarily spy novel fictions," he said.
"The real-world implications of Stuxnet are beyond any threat we have seen in the past," Turner warned.
The New York Times reported in September that Stuxnet code includes a reference to the Book of Esther, the Old Testament story in which the Jews pre-empt a Persian plot to destroy them, and is a possible clue of Israeli involvement.
McGurk, the US cybersecurity official, declined to speculate about Stuxnet's origins or objectives but said US analysis "indicates that a specific process was likely targeted."
"While we do not know which process was the intended target, it is important to note that the combination of Windows operating software and Siemens hardware can be used in control systems across critical infrastructure sectors -- from automobile assembly lines to mixing baby formula to processing chemicals," he said.
"The concern for the future of Stuxnet is that the underlying code could be adapted to target a broader range of control systems in any number of critical infrastructure sectors," McGurk said.
"These systems are used to operate physical processes that produce the goods and services that we rely upon, such as electricity, drinking water, and manufacturing," he said.
"Although each of the critical infrastructure industries, from energy through water treatment, is vastly different, they all have one thing in common: they are dependent on control systems to monitor, control, and safeguard their processes," the US cybersecurity official said.
McGurk warned that "a successful cyberattack on a control system could potentially result in physical damage, loss of life, and cascading effects that could disrupt services."
He explained that with Stuxnet, "I don't have to break into the front door and actually steal the formula or the intellectual property of what you're manufacturing.
"I can actually go to the devices themselves, read the settings and reverse engineer the formula for whatever the process is that's being manufactured," McGurk said. "In addition, I can make modifications to the physical environment so that you would be unaware of those changes being made.
"In other words, this code can automatically enter a system, steal the formula for the product you are manufacturing, alter the ingredients being mixed in your product, and indicate to the operator and your anti-virus software that everything is functioning as expected," he said.
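McGurk's description above, a controller whose settings are quietly changed while the operator screen keeps reporting normal values, is easy to state but worth seeing in numbers. The following is an added illustration written for this page, not code from the article, from DHS or from any Stuxnet sample. It simulates a toy motor-speed loop in which an attacker raises the PLC setpoint and replays a recorded window of "normal" telemetry to the HMI, then shows two checks a monitoring system can run to notice the deception: exact repetition of a whole sensor window (real sensors carry noise, so byte-identical repeats are suspicious) and a cross-check against an independent measurement the attacker does not control. The process model, noise level, register values and the 30-sample replay window are all constructed for the example.

```python
"""Added illustration: covert setpoint change plus telemetry replay to the
operator screen, and two HMI-side detection checks. Not from the article,
DHS or any real malware; all process values are constructed here."""
from collections import deque
import random


def plant_step(speed, setpoint, gain=0.3):
    """Toy first-order process: motor speed moves a fraction of the way
    toward the commanded setpoint each step."""
    return speed + gain * (setpoint - speed)


def run_simulation(steps=120, attack_at=60, seed=1):
    """Return (actual_readings, reported_readings).

    Before attack_at the HMI sees the real sensor. From attack_at on, the
    attacker raises the setpoint and feeds the HMI the last 30 genuine
    readings in a loop, so the operator screen keeps showing 'normal'."""
    rng = random.Random(seed)
    setpoint, speed = 1000.0, 1000.0       # rpm, constructed values
    actual, reported = [], []
    recorded = deque(maxlen=30)            # attacker's replay buffer
    for t in range(steps):
        if t == attack_at:
            setpoint = 1400.0              # covert change to the PLC
        speed = plant_step(speed, setpoint)
        measured = speed + rng.gauss(0, 2.0)   # sensor noise
        actual.append(measured)
        if t < attack_at:
            recorded.append(measured)
            reported.append(measured)
        else:
            reported.append(recorded[(t - attack_at) % len(recorded)])
    return actual, reported


def detect_replay(readings, window=30):
    """Return the first index at which a window of readings exactly repeats
    an earlier window, or None. Noisy sensors never repeat a whole window
    bit-for-bit, so this is a strong replay indicator."""
    seen = {}
    for i in range(len(readings) - window + 1):
        key = tuple(round(x, 6) for x in readings[i:i + window])
        if key in seen:
            return i
        seen[key] = i
    return None


def detect_divergence(reported, independent, tolerance=50.0):
    """Cross-check the HMI value against an independent measurement the
    attacker cannot rewrite (for example an out-of-band power meter).
    Return the first index where they disagree by more than tolerance."""
    for i, (r, m) in enumerate(zip(reported, independent)):
        if abs(r - m) > tolerance:
            return i
    return None


if __name__ == "__main__":
    actual, reported = run_simulation()
    print("replay first detected at step", detect_replay(reported))
    print("divergence first detected at step",
          detect_divergence(reported, actual))
```

The replay check works only because the attacker reused real samples verbatim; an attacker who synthesises plausible noise defeats it, which is why the second check, comparing against a measurement taken outside the compromised path, is the one worth engineering for.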
From propagandist site Popular Mechanics: http://www.popularmechanics.com/technology/military/4307521?page=2
How Vulnerable is U.S. Infrastructure to a Major Cyber Attack?
National security officials said that cyberspies hacked their way into the U.S. grid and left behind software programs that could disrupt the system, according to a story in today's Wall Street Journal. The news of a compromised grid confirms fears of some national security experts and politicians that hackers could take over a nuclear power plant or financial networks. In Popular Mechanics' April 2009 cover story, Glenn Derene investigates how hackers could use the very computer systems that keep America's infrastructure running to bring down key utilities and industries, from railroads to natural gas pipelines. Here is our full report.
October 1, 2009 12:00 AM
The next world war might not start with a bang, but with a blackout. An enemy could send a few lines of code to control computers at key power plants, causing equipment to overheat and melt down, plunging sectors of the U.S. and Canadian grid into darkness. Trains could roll to a stop on their tracks, while airport landing lights wink out and the few traffic lights that remain active blink at random.
In the silence and darkness, citizens may panic, or they may just sit tight and wait for it all to reboot. Either way, much of the country would be blind and unresponsive to outside events. And that might be the enemy's objective: Divert America's attention while mounting an offensive against another country.
Pentagon planners have long understood the danger of cyber attacks on U.S. military networks. Indeed, the Defense Department's Global Information Grid is one of the most frequently targeted computer networks on Earth. But the cat-and-mouse game of information espionage on military networks is not the only digital threat that keeps national-security experts up at night. There is a growing concern over the vulnerability of far more tangible assets essential to the economy and well-being of American citizens.
Much of the critical infrastructure that keeps the country humming--water-treatment facilities, refineries, pipelines, dams, the electrical grid--is operated using a hodgepodge of technologies known as industrial control systems. Like banks and telecommunications networks, which are also generally considered critical infrastructure, these industrial facilities and utilities are owned by private companies that are responsible for maintaining their own security.
But many of the control systems in the industrial world were installed years ago with few or no cyber-security features. That wasn't a big problem when these systems were self-contained. But in the past two decades, many of these controls have been patched into company computer networks, which are themselves linked to the Internet. And when it comes to computer security, a good rule of thumb is that any device that is computer-controlled and networked is vulnerable to hacking.
Bad-guy hackers pulling the plug on public utilities is a common theme of Hollywood films, including 2007's Live Free or Die Hard, but such scenarios present more than a mere fictional scare to U.S. intelligence officials. According to Melissa Hathaway, cyber-coordination executive for the Office of the Director of National Intelligence, the list of potential adversaries in a cyber attack is long, ranging from disgruntled employees to criminals to hostile nations.
Most experts agree that China and Russia routinely probe our industrial networks, looking for information and vulnerabilities to use as leverage in any potential dispute. James Lewis, a cyber-security expert for the policy think tank Center for Strategic and International Studies (CSIS), says that although cyber warfare couldn't cripple the U.S., it could serve as an effective military tactic. "If I were China, and I were going to invade Taiwan," he says, "and I needed to complete the conquest in seven days, then it's an attractive option to turn off all the electricity, screw up the banks and so on." Could the entire U.S. grid be taken down in such an attack? "The honest answer is that we don't know," Lewis says. "And I don't like that answer."
Ghosts in the Machine
In January 2008, senior CIA analyst Tom Donahue dropped a bombshell on a small conference of government officials and power-company engineers from the U.S. and Europe. He told them that extortionists had managed to hack into utilities in multiple regions outside the United States and disrupt power equipment. "In at least one case," he said, "the disruption caused a power outage affecting multiple cities." The CIA has been highly secretive about the incident, and Donahue would not discuss where the blackouts occurred or what companies were affected. But he admitted that the CIA had no idea who had perpetrated the attacks. Hackers had shaken down a public utility, it seems, and had gotten away with it.
Some security professionals think that government officials have been guilty of as much drama-mongering on the issue as Hollywood has. "Honestly, I think the threat is overblown," says Bruce Schneier, author of Schneier on Security. "The risks today are due more to errors than to malicious intent." He sees Donahue's story as nothing more than a tenebrous rumor. Nevertheless, Schneier thinks vulnerabilities in infrastructure will eventually become a real national-security threat.
The problem is that the errors that Schneier refers to can cause bad things to happen. Much of computer hacking is predicated on exploiting glitches in commonly used systems. Such exploits on a Windows PC are irritating, but at a nuclear facility, they can be unnerving.
In August 2006, a glitch shut down the Browns Ferry nuclear power plant in northern Alabama. Plant administrators lost control of recirculation pumps on one of the plant's reactors because of excessive data traffic on the control-system network. The plant was forced to go offline temporarily.
Nuclear plants are designed to shut down in the event of major malfunctions to prevent a Chernobyl-style catastrophe. But they also generate almost 20 percent of U.S. power. What if a hacker exploited a coding error in a cooling system to shut down a sizable piece of the nation's power supply?
Incidents of digital malfunctions that cause danger to human life are rare, but such events have happened. In June 1999, in Bellingham, Wash., shortly before a routine delivery of gasoline by the Olympic Pipe Line Co., a worker updated a database for the company's pipeline computer-control system. According to a report by the National Transportation Safety Board, a simple typo in the database caused the system to fail, disabling remote control for the pipeline's operators, 98 miles away in Renton, Wash. Pressure began to build in the line, so the operator issued a command to open a secondary pump to relieve it, but the system was unresponsive. A weak point in the pipeline ruptured, releasing 237,000 gal of gasoline into nearby Whatcom Creek. An hour and a half later, the gasoline ignited. The ensuing fireball scorched more than a mile of riverbank, killing three people, including two 10-year-old boys, and damaged the city's water-treatment facility.
The Aurora Vulnerability
Conventional wisdom about digital attacks is that you can steal information, and you may even be able to shut down critical systems, but any damage would be temporary and superficial. A cyber attacker could generate a lot of confusion by killing the lights in California, but give the state and utility officials a few days to reset the systems, and everything would be back up and running. It's a phenomenon that infrastructure security expert Eric Byres, of Byres Security, refers to as "weapons of mass annoyance."
In 2007, however, a video leaked out of the Department of Homeland Security that showed an experiment the DHS had sponsored at Idaho National Laboratory. In the video, a massive, green diesel generator shakes violently and belches smoke as it goes into total meltdown. Dubbed the Aurora experiment, it demonstrated how an over-the-Internet cyber attack could cripple big, essential machines.
When the video hit CNN, it alarmed many in the utilities industry. Most of the details of the Aurora vulnerability have not been released, but DHS statements about the experimental hack describe it as a man-in-the-middle, or spoofing, attack, in which a malicious computer intercepts all traffic going between two other computers, essentially controlling the line of communication between them. The physical effect later described publicly is rapid out-of-phase opening and reclosing of the generator's circuit breaker through its protective relay; the network attack is only the means of issuing those commands. According to Sean McGurk, director of control systems security for the DHS, the vulnerability was common to control systems throughout critical infrastructure.
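The man-in-the-middle description above, and the earlier point that many control systems were installed with few or no security features, come down to one property: the command protocols carry no authentication or integrity check, so whoever sits on the wire can rewrite a command and the controller accepts it as genuine. The block below is an added example written for this page, not the DHS test code and not from the article. It uses Modbus/TCP as an assumed example protocol (the page does not name it), builds a Write Single Register request, shows how an in-path attacker rewrites the value without the PLC being able to tell, and then shows the kind of network-tap check an operator can run, an allowlist of writable registers with engineering limits, which is an assumption for the example. Frames are constructed in memory; nothing is sent on a network.

```python
"""Added illustration: an unauthenticated ICS write command, its in-path
tampering, and a tap-side engineering-limits check. Modbus/TCP is used as an
assumed example protocol; register numbers and limits are constructed."""
import struct

WRITE_SINGLE_REGISTER = 0x06


def build_write_single(transaction_id, unit_id, address, value):
    """Modbus/TCP request: MBAP header (transaction id, protocol id 0,
    remaining length, unit id) followed by a PDU of function code,
    register address and register value, all big-endian."""
    pdu = struct.pack(">BHH", WRITE_SINGLE_REGISTER, address, value)
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_frame(frame):
    """Decode a Write Single Register request into a dict, or raise."""
    if len(frame) < 12:
        raise ValueError("frame too short for a function 0x06 request")
    txn, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP header")
    function = frame[7]
    if function != WRITE_SINGLE_REGISTER:
        raise ValueError("only function 0x06 is handled in this example")
    address, value = struct.unpack(">HH", frame[8:12])
    return {"txn": txn, "unit": unit, "function": function,
            "address": address, "value": value}


def tamper(frame, new_value):
    """What a man-in-the-middle can do: there is no MAC or signature, so a
    rewritten value field produces a frame the PLC accepts as genuine."""
    req = parse_frame(frame)
    return build_write_single(req["txn"], req["unit"], req["address"], new_value)


# Tap-side check. The allowlist of writable registers and their engineering
# limits is an assumption made for this example (e.g. pump speed in rpm).
SAFE_RANGES = {40001: (800, 1200)}


def check_write(frame):
    """Return (ok, reason) for a write request against the allowlist."""
    req = parse_frame(frame)
    if req["address"] not in SAFE_RANGES:
        return False, "write to register %d not on allowlist" % req["address"]
    lo, hi = SAFE_RANGES[req["address"]]
    if not lo <= req["value"] <= hi:
        return False, "value %d outside [%d, %d]" % (req["value"], lo, hi)
    return True, "ok"


if __name__ == "__main__":
    genuine = build_write_single(1, 1, 40001, 1000)
    forged = tamper(genuine, 1400)
    print("genuine:", genuine.hex(), check_write(genuine))
    print("forged: ", forged.hex(), check_write(forged))
```

The limits check catches an out-of-range write whichever path it arrived by, which is the point: it judges the command by its physical consequence rather than by who appears to have sent it, since the protocol cannot tell the two apart.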
The Saboteur's Story
The most frequently told anecdote in the world of infrastructure cyber security is that of Maroochy Shire. The incident, which occurred in Queensland, Australia, is viewed by many in the industry as an object lesson in the damage that can be done when someone with computer skills and a grudge takes aim at a public system. In 2000, Vitek Boden, a computer expert in his late 40s who had been turned down for a job in municipal government, rigged up his laptop computer to a radio-frequency wireless transceiver to hack into the city's computerized wastewater management system. Over the course of two months, Boden broke into the system 46 times, instructing it to spill hundreds of thousands of gallons of raw sewage into rivers, parks and public areas. He was finally caught when a police officer pulled him over and found control-systems equipment in his car. The reason the Maroochy Shire incident is recounted so frequently is that it shows how difficult it is to thwart hackers who want to disrupt the infrastructure, since attacks can come from almost anywhere. An insider with detailed knowledge could target a specific company's system, or a hacker could launch an anonymous Internet assault from a distant country.
The Department of Homeland Security's Computer Emergency Readiness Team (known as US-CERT) encourages industry to report cyber accidents and intrusions, but there are few legal requirements for private companies to do so. It is possible that many more incidents have occurred, and companies have simply kept them quiet.
Infrastructure is meant to last a long time, so upgrades to existing systems tend to occur at a glacial pace. "There is a long life cycle associated with this," says Jeff Dagle, chief electrical engineer at the Department of Energy's Pacific Northwest National Laboratory. "Utilities are used to this equipment lasting 30 years." Nevertheless, big utilities and industrial facilities are starting to see cyber security as a reliability issue, and are modernizing their equipment and building redundant, multitiered networks (a tactic known in military circles as "defense in depth"). The caveat is that with big utility networks such as the electrical grid, telecommunications or pipelines, a clever adversary wouldn't attack the well-defended components of the system. "Why should I go after the company that put a lot of money into securing its networks when I can get into one that hasn't and damage them both?" asks the CSIS's James Lewis.
Ironically, the current weakness of the economy may provide a shot in the arm for the digital defenses of critical infrastructure. Much of President Obama's stimulus package is aimed at revitalizing infrastructure, and as antiquated equipment gets upgraded, modern security technology can be built in. One example is the Smart Grid, a Department of Energy plan that could receive around $4.5 billion to modernize the nation's electricity delivery system with state-of-the-art computer controls. Of course, more computing technology in the grid allows for more potential attacks, but it could also mean a more robust and nimble defense.
The result may be infrastructure networks that are a lot like the Internet itself. The redundancy and flexibility of the Internet's core architecture has allowed it to withstand two massive denial-of-service attacks--in 2002 and 2007--on the 13 root-server addresses at the top of the Domain Name System hierarchy, many of them served from multiple anycast sites. In each instance, the servers absorbed incredible amounts of traffic as parts of the system either failed or came close to failing. To the engineers who run the system, it was terrifying, but the rest of the world barely noticed. If our infrastructure were that robust, the cyber war of the future might have little more impact on your life than a dimming of the lights and a shrug of your shoulders.